Throttling spoofed SYN flooding traffic at the source

Published in: Telecommunication Systems

Abstract

TCP-based flooding attacks are a common form of Distributed Denial-of-Service (DDoS) attack which abuse network resources and pose serious threats to the Internet. Incorporating IP spoofing makes such attacks even more difficult to defend against. Among the different IP spoofing techniques, which include random spoofing, subnet spoofing and fixed spoofing, subnet spoofing is the most difficult type to fight against. In this paper, we propose a simple and efficient method to detect and defend against TCP SYN flooding attacks under different IP spoofing types, including subnet spoofing. The method makes use of a storage-efficient data structure and a change-point detection method to distinguish complete three-way TCP handshakes from incomplete ones. This lightweight approach makes the scheme relatively easy to deploy, as its resource requirement is reasonably low. Simulation experiments consistently show that our method is both efficient and effective in defending against TCP-based flooding attacks under different IP spoofing types. Specifically, our method outperforms existing schemes, achieving a higher detection rate with lower storage and computation costs.
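The abstract describes two building blocks: a compact structure that records outbound SYNs so a later completing ACK can be matched to them, and a change-point test on the resulting count of incomplete handshakes. The following is an added illustration, not the paper's code, and it assumes a Bloom filter as the compact flow store and a non-parametric CUSUM as the change-point test (the abstract names neither); all traffic is constructed inline.

```python
import hashlib

class BloomFilter:
    """Compact membership set for flow ids (assumed stand-in for the paper's data structure)."""
    def __init__(self, m_bits=4096, k=3):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)
    def _pos(self, key):
        for i in range(self.k):
            h = hashlib.sha256(f"{i}|{key}".encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.m
    def add(self, key):
        for p in self._pos(key):
            self.bits[p >> 3] |= 1 << (p & 7)
    def __contains__(self, key):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._pos(key))

def incomplete_fraction(packets):
    """Share of handshakes opened by an outbound SYN in this interval that never saw the
    source's final ACK (a spoofed SYN cannot: the SYN-ACK went to the forged address)."""
    opened, closed = BloomFilter(), BloomFilter()
    syns = completed = 0
    for flag, src, sport, dst, dport in packets:   # outbound packets at the source edge
        key = (src, sport, dst, dport)
        if flag == "SYN":
            opened.add(key); syns += 1
        elif flag == "ACK" and key in opened and key not in closed:
            closed.add(key); completed += 1
    return (syns - completed) / syns if syns else 0.0

def cusum_alarms(series, drift=0.2, threshold=1.0):
    """Non-parametric CUSUM (assumed change-point test): alarm once the accumulated
    excess of the incomplete fraction over its normal level crosses the threshold."""
    y, out = 0.0, []
    for x in series:
        y = max(0.0, y + (x - drift))
        out.append(y > threshold)
    return out

def normal_interval(n):   # constructed: n hosts each complete a handshake to one server
    pk = []
    for i in range(n):
        pk.append(("SYN", f"10.0.0.{i + 1}", 40000 + i, "198.51.100.7", 80))
        pk.append(("ACK", f"10.0.0.{i + 1}", 40000 + i, "198.51.100.7", 80))
    return pk
def spoofed_interval(n):  # constructed: subnet-spoofed SYNs with no completing ACKs
    return [("SYN", f"10.0.0.{i % 254 + 1}", 50000 + i, "198.51.100.7", 80) for i in range(n)]
def demo():  # three normal intervals, then three under a subnet-spoofed flood
    intervals = [normal_interval(20)] * 3 + [spoofed_interval(200) + normal_interval(5)] * 3
    return cusum_alarms([incomplete_fraction(p) for p in intervals])
```

Note that the CUSUM alarm fires one interval after the flood starts: the first attack interval only raises the statistic to about 0.78, which is the usual detection delay traded for robustness against a single noisy interval.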



Corresponding author

Correspondence to Wei Chen.

Additional information

The research presented in this paper has been supported by a research grant from the Research Grants Council of the Hong Kong Special Administrative Region, China under the Area of Excellence (AoE) Scheme (Project No. AoE/E-01/99).

Cite this article

Chen, W., Yeung, DY. Throttling spoofed SYN flooding traffic at the source. Telecommun Syst 33, 47–65 (2006). https://doi.org/10.1007/s11235-006-9006-0
